Script Commands for Android Enterprise: Managed Devices

Use the options and examples below to help you create your own powerful script commands.

Note: Not all script commands are compatible with all devices within a platform. Limitations are noted in the table entries.
Tip: You can also use JavaScript to create and send scripts to your Android Plus devices. See Android Plus JavaScript Scripts for details.


Format Meaning
text Enter the command exactly as shown.
text Replace with the requested information.
[text] Information contained within square brackets is optional to the command.
text|text Choose one of the options separated by the vertical pipe.


Command Syntax

Enables or disables the administrator mode on a device in lockdown mode.

_adminmode on|off

Prevents the device user from uninstalling an application that was installed using packages.

afw_prevent_uninstall bundleID enable|disable

Where bundleID is the bundle id of the application whose uninstallation you want to prevent.


To prevent the device user from uninstalling the Google Photos app:

afw_prevent_uninstall enable

Grants specified permissions to specified applications. You cannot grant special permissions such as Draw Over or Usage Access, to third party applications.

afw_set_permission_grant_state packageName disable|enable

Sets the default response for future runtime permission requests by the SOTI MobiControl device agent.

afw_set_permission_policy prompt|grant|deny|clear


  • prompt prompts the device user for all permissions
  • grant automatically grants all permissions that an application requires
  • deny automatically denies all permissions that an application requires
  • clear resets the policy to the agent define default state

Enables or disables the Android Enterprise work profile.

afw_work_profile enable|disable

Retrieves the current agent mode (user or administrator) of a device with lockdown mode applied and displays it in the Logs section of the Device Information panel.


Deletes a certificate on the device.

Note: You can only use certdelete to remove certificates that were installed by SOTI MobiControl unless the device has a Samsung ELM agent installed, in which case certdelete will remove any specified certificates.
certdelete -issuer "IssuerName" -sn "SerialNumber" -storage "storage"


  • IssuerName is the common name of the certificate issuer
  • SerialNumber is the serial number of the certificate
  • storage is the type of storage into which to import the certificate


To delete a certificate issued by

certdelete -issuer "*" -sn 00A03DB42A7841AFF5


Prompts the device agent to attempt to connect to the deployment server.

connect [-f]

Where -f forces the device agent to connect regardless of configuration or setup settings.


To connect to the deployment server regardless of configuration or setup settings:

connect -f


Renames a device.

devrename newDeviceName

If the name contains spaces, use quotation marks


To change the name of a device to Apricot Candy:

devrename "Apricot Candy"


Disconnects the device from the SOTI MobiControl deployment server.

_efota _efota enroll|upgrade corpID targetVersion where corpID is the customer ID and targetVersion is the Samsung firmware version.

Adds or removes the Samsung ELM agent to/from Android Doze Mode whitelist, enabling the agent to circumvent battery optimizations that limit connectivity between the agent and the deployment server.

Available on Samsung devices running Android 6.0 or later and Knox Standard SDK 5.7 or later.

elm_awaken 0|1


To add ELM agent to whitelist:

elm_awaken 1

To remove ELM agent from whitelist:

elm_awaken 0


Allows a system application on the device to be used in the Android Enterprise container.

Note: Only applications that are included in the device's firmware can be used in this command.
enable_system_app appBundleID


To add Google Chrome to the Android Enterprise container:



Copies a file or directory from an ftp server.

ftp [get|mget|wget] [-r,-o] source destination


  • get copies a file on the ftp server to the local computer
  • wget copies a file on the local computer to the ftp server
  • -r specifies recursive
  • -o specifies to override existing files


To copy a file from ftp to local SD card on the device:

ftp get -o

To copy a folder from the device to ftp server:

ftp wget -o -r ftp:://user:password@server/folder %sdcard%www


Downloads files using the HTTP protocol.

httpget URL localPath

Identifies the current top activity on the device.


Installs an application on the device.

install appInstallerPath

Where appInstallerPath is the full path to the application installer file on the device


To install the Gmail app located on an sd card:

install /mnt/sdcard/Gmail.apk


Installs a system update from the specified file.

Note: This command cannot be used on encrypted devices. Use the sendintent command instead.
install_system_update filename


To install a system update from a file on an SD card:

install_system_update /sdcard/

Note: If /sdcard does not work, use /storage/sdcard0 instead, as in:

install_system_update /storage/sdcard0/


Turns the device screen off and locks device until device user enters the correct password.


Sends a customs message to the SOTI MobiControl deployment server from the device. This message appears in the Logs tab of the Device Information panel in the SOTI MobiControl console.

log type message

Where type is the type of the associated message and the options are:

  • -e for Error
  • -w for Warning
  • -i for Information


To send a notification to the SOTI MobiControl console at certain intervals during a software push:

Note: Put the command in the pre-install script

log -i "Starting Software Push"


Submits XML configuration instructions to the MX layer of the device.

Note: This script command is only applicable on Zebra Android devices. mxconfig uses the StageNow XML format (MXMS)
mxconfig xmlFilepath


mxconfig /sdcard/test.xml

notify kiosk

Enables or disables lockdown mode on the device.

notify kiosk on | off

Lists all the activities of an application package.

read_activities packageName

Sends a request to the device prompting the device user to grant the specified permissions.

request_appops_permission permissionName where the permissionName can be one of:
  • SYSTEM_ALERT_WINDOW requests the Draw Over permission. Requires an Android Classic or Enterprise agent of 13.5.2 or later
  • PACKAGE_USAGE_STATS requests the Usage Access permission. Requires an Android Classic or Enterprise agent of 13.6.1 or later
  • BIND_NOTIFICATION_LISTENER_SERVICE requests the Notification Access permission. Requires an Android Classic or Enterprise agent of 13.6.1 or later.
  • WRITE_SETTINGS requests the Modify System Settings permission. Requires an Android Classic or Enterprise agent of 13.7.0 or later

Where possible, the permissions are granted silently.


Requests permission from the device user to send bug reports back to SOTI MobiControl.


Performs a soft or hard reset of the device.

reset [/S | /H | /W | /E] [/delaysec]


  • /S is the default option and soft resets the device. Any desktop remote control sessions will also be terminated.
  • /H is used to hard reset a device running on the Windows Pocket PC or Windows CE platforms. It clears any data stored in the volatile memory. On Windows Mobile 5.0 and later devices this is equivalent to a soft reset. The real-time clock may also reset depending on the device make and model.
  • /W is used to wipe data stored on the device and reset the device to factory default settings.
    Note: The wipe command is only supported on the Windows Mobile 5 operating system with AKU2 or later and newer versions of Windows Mobile.
  • /E is used to wipe data stored on the device and its external storage as well as reset the device to factory default settings.
  • /P is used to bypass factory reset protection. It is only supported on Android Enterprise Work Managed devices.

On Android Plus devices it is possible to specify a /delay parameter (in seconds): reset /S /delay 10

If /delay parameter is not defined, the default value is 5 seconds


To soft reset a device:

reset /S

To reset an Android Plus device to its factory settings in 30 seconds:

reset /E /delay 30


Resets the remote control detection attempt counter.


Clears proxy configuration settings for the specified SSID (which should exist on the device before sending the command).

Note: Supported on devices running Android 4.0 or later.
resetwifiproxy ssid


To reset a proxy configuration for SSID 105:

resetwifiproxy 105


Restarts the device agent.


As of Android agent v14.3.1, the agent waits until it's idle before it restarts (generally less than 10 seconds). Add --immediately if you want to restart the agent as soon as the script is received. Earlier versions of the agent restart immediately.


Sets the zoom level in the SOTI Surf app.


Where value is a percentage that represents the level of zoom.


To set the zoom level of the SOTI Surf app to 400%:



Controls whether device users can use gestures (like pinch to zoom) to magnify web pages opened in the SOTI Surf app.



  • 0 enables zoom gestures
  • 1 disables zoom gestures


To disable zoom gestures in the SOTI Surf app:



Controls whether cookies from third-party domains (that is, domains beyond the site the user is currently visiting) are blocked on SOTI Surf.



  • 0 blocks third-party cookies
  • 1 allows third-party cookies


To allow third-party cookies in the SOTI Surf app:



Turns on or off media auto-play and controls SOTI Surf access to the device camera.


Where 0 turns on media auto-play and 1 turns off media auto-play.


To turn on media auto-play and grant SOTI Surf access to the device camera:



Sends a debug report from the device agent to the SOTI ftp server.


Configures the system update policy for Android devices with work feature enabled.

Note: Supported on Android Enterprise Managed Devices running Android 6.0 or later with an agent of 13.8.x or earlier.

Devices with later agents (13.9.0+) should use either writeprivateprofstring (see The writeprivateprofstring Command for an example) or the System Update Policy profile configuration instead.

set_system_update_policy policy type [startTime] [endTime]


  • policy type specifies the behavior of the update policy with the following options:
    • 0 is the default option and represents the platform's default behavior
    • 1 is Automatic. The system update installs automatically as soon as an update is available
    • 2 is Windowed. The system update is only installed automatically when the system clock is inside a daily maintenance window. If the update is not installed within 30 days, the system reverts to the default policy.
    • 3 is Postpone. The system update is postponed for 30 days. After 30 days, the system reverts to the default policy.
      Note: Rebooting the device can remove the script and unblock the system update.
  • startTime is the start of the maintenance window. Only applicable on the Windowed policy type. Time
  • endTime is the end of the maintenance window. Only applicable on the Windowed policy type.
Note: For the Windowed policy, time parameters are measured as the number of minutes from midnight in the device's local time. They range from 0-1440.

If the start and end times are the same, the window includes the whole 24 hours, that is, updates can install at any time. If the start time is later than the end time, the window spans midnight.


To set the system update policy as default:

set_system_update_policy 0

To set the system update policy as windowed with the maintenance window set to occur from 11 pm to 3 am:

set_system_update_policy 2 1380 180


Sets WiFi proxy settings using a provided PAC file. The access point ID should exist on the device before sending this command.

Note: Supported on devices running Android 4.0.
setwifipacurl ssid PACfileURL


To set up a WiFi proxy using a PAC file:

setwifipacurl 105


Sets WiFi proxy settings using a provided host and port for the specified SSID. The access point ID should exist on the device before sending this command.

Note: Supported on devices running Android 4.0.
setwifiproxy ssid host port


To set up a WiFi proxy:

setwifiproxy 105 8080


Displays a message box on the device screen.

Note: The Android Plus agent has the following limitations:
  • It does not support a complex showmessagebox that contains more than one command
  • It cannot return the user response
  • It does not support "if" and related keywords
showmessagebox message [timer] [type] [default button] [action]


  • message is the message displayed in the message box. Use quotation marks (" ") if there are spaces in the message.
  • [timer] is the number of seconds until the message box disappears automatically. If you omit a timer value or add the keyword NO_TIMER, the message box will persist until the device user dismisses it.
  • [type] is type of of message box. Options are:
    • 1 displays an information window with an OK button
    • 2 displays a question window with Yes and No buttons
    • 3 displays a warning window with an OK button
    • 4 displays a question window with OK and Cancel buttons
    • 5 displays an error window with an OK button
  • [default button] sets the default buttons for message box types 2 (YES | NO) or 4 (OK | CANCEL)
  • NOTIFY_DEVICE notifies the device user of the message, depending on the notification settings applied to the device. That is, devices set to ring, will ring, set to vibrate, will vibrate, and muted devices will have no notification. Only supported on Android Plus devices with agents 14.0.0 or later.

The return values for the showmessagebox are stored in a global variable, ShowMessageBoxReturn This variable can be used in scripts as %ShowMessageBoxReturn% to execute actions based on user response. Possible return values are IDYES, IDNO, IDOK, IDCANCEL. The value for this global variable does not change if the type is not 2 or 4.


To show a simple message:

showmessagebox "This is a test message"

To provide device information using a macro:

showmessagebox "Your device's IP address is %IP%"

To set a 3 second timer to your message:

showmessagebox "This is a test message with a 3 second timer" 3

To add YES and NO buttons to your message box with no timer

showmessagebox "This is a test message with Yes/No button and no timer" NO_TIMER 2

To provide followup actions to a user response to message box:

showmessagebox "Abort the operation?" NO_TIMER 4 YES
if %ShowMessageBoxReturn% == IDYES goto Exit

Initiates sleep mode on the device for a set period. Only use this command in scripts.

sleep [length]

Where length is in seconds


To set the device to sleep for 5 seconds:

sleep 5


Initiates sleep mode on the device for a set period. Only use this command in scripts.

sleep [length]

Where length is in milliseconds


To set the device to sleep for 3.5 seconds:

sleep 3500


Removes the specified program from the device.

uninstall program [force]


  • program is the program ID for the program you want to uninstall
  • force forces uninstallation of the program, even if it is a system application


To remove the program Google Maps:



Unlocks the device and dismisses the password lock screen.


Enables or disables WiFi mobile access point.

Note: Supported on devices running Android 4.0 to 8.0.
wifiapenable 0|1

Where 0 disables WiFi and 1 enables WiFi


To disable WiFi:

wifiapenable 0


Wipes application data for the specified application from the device.

wipeapplication packageName

Saves or deletes specified settings on a device.

See The writeprivateprofstring Command for more information.